<?xml version="1.0" encoding="utf-8"?>
<!--Generated by Finjan.com-->
<rss version="2.0">
  <channel>
    <title>Finjan MCRC Blog: Posts</title>
    <link>http://www.finjan.com/MCRCblog_RSS_feed.aspx</link>
    <description>Finjan is a global provider of proactive web security solutions that protect businesses and organizations against all types of web threats, including Spyware, Trojans and malicious code.</description>
    <generator>Finjan.com</generator>
    <copyright>© Copyright 1996 - 2007. Finjan Inc. and its affiliates and subsidiaries. All rights reserved.</copyright>
    <webMaster>webmaster@finjan.com</webMaster>
    <item>
      <title>Yahoo Cache Magic!?</title>
      <description>Recently, the popular social media service site, imeem.com, was compromised by a permanent XSS attack – this attack is very similar to the one we discussed a few months ago - XSS attack optimized by SEO techniques.
Fortunately, in most cases, the XSS attack on imeem.com did not work, as the malicious IFrame was injected into the page's HTML Title tag (which is rendered as text by popular web browsers). The search term along with the malicious IFrame were also appended to the bottom of the page, this time in HTML-escaped form, which neutralizes the attack.
</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=2041</link>
      <pubDate>Sun, 24 Aug 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Governmental, Healthcare, and Top Business Websites have fallen victim to the new round of Asprox mass attack</title>
      <description>As covered in my previous post, a new round of mass Web attacks started during May 2008. Hackers successfully compromised a large number of government and top business websites worldwide to infect visitors with malware. The attack toolkit being used (which is aliased as “Asprox”) has been around for a few years; however, during the last year we have noticed a rise in the number of attacks using it. The attack toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=2002</link>
      <pubDate>Wed, 16 Jul 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Short research of “in-the-cloud-service” and “unknown malware samples”</title>
      <description>It looks like the new AV buzzword of “in-the-cloud-service” has gathered momentum among Anti-Virus vendors.
On June 30, 2008 an interview with Trend Micro’s CEO was published on ZDNet.co.uk titled “Antivirus industry lied for 20 years” – it makes me wonder what is going to change in the 21st year? In the interview, Trend Micro’s CEO unveiled the new vision of her company - moving to “In the Cloud Service” e.g. “throws all the unknown samples up into the cloud for deeper and faster pattern recognition”. What will happen if I’m offline...?</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1993</link>
      <pubDate>Thu, 03 Jul 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>2008 Cybercrime economy</title>
      <description>A couple of years ago, credit card numbers and bank account PINs were traded for $100 or more on sites selling that kind of stolen information. But nowadays prices have dropped to $10-$40 per item.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1979</link>
      <pubDate>Wed, 18 Jun 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Guess who’s got your passwords and emails stored on their servers…?</title>
      <description>In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Many people asked us how we found the data. Was the data secure or not?</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1957</link>
      <pubDate>Sun, 18 May 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Attacker toolkits for free</title>
      <description>During our ongoing research we came across one curious site.
The site is hacking/security oriented, and is located in Russia (hmm... the previous time I checked it was in the Netherlands), and is not significantly different from many other similar sites.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1949</link>
      <pubDate>Wed, 07 May 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Crimeware server catering to “grab and run” criminals</title>
      <description>During our research for the latest Malicious Page of the Month that has just been released, we came across a domain that was being used as a command and control for the Crimeware that was executed on attacked machines. This domain was also used as the “drop site” for private information being harvested by that Crimeware.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1946</link>
      <pubDate>Tue, 06 May 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>New neosploit - without MDAC :)</title>
      <description>Most attack toolkits have some things in common, one of which is an exploit against the MDAC vulnerability (patched in 2006). MDAC is also, in many cases, the first exploit the attacker tries to use.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1917</link>
      <pubDate>Sun, 06 Apr 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>On the (dis)merits of privacy</title>
      <description>Following up on my last post, after filing a complaint with the abuse department of privacyprotect.org (and blogging about the problem), I have just received an update noting that:</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1912</link>
      <pubDate>Wed, 26 Mar 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Taking down a malicious site - the good, the bad, and the ugly...</title>
      <description>As part of the “closure” on the February Malicious Page of the Month, which involved meoryprof.info (taken down) and spywaresafe.net, we have contacted the appropriate parties in order to notify them that these websites contain malicious code.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1910</link>
      <pubDate>Wed, 19 Mar 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>About window of vulnerability (and MS08-017)</title>
      <description>We here at the MCRC conduct independent vulnerability research once in a while, in order to provide our customers the best protection we can offer. The last MS security update included fixes for 2 vulnerabilities in the MS Office Web Component that we have discovered, one of which (CVE-2007-1201) was reported to Microsoft two years ago (!!). This means a 2 year long window of vulnerability. Needless to say, Finjan customers have been protected for the last 2 years against exploitation of this vulnerability, even at times when this vulnerability has been used in the wild with no patch available.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1908</link>
      <pubDate>Mon, 17 Mar 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Optimizing Cross Site Scripting - and general security practices</title>
      <description>We have been working recently on an XSS attack that impacted a huge number of potential victims, as the attack itself has been “optimized” by SEO (Search Engine Optimization) practices that pushed it to Google’s indexes.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1905</link>
      <pubDate>Sun, 16 Mar 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>From 0day PoC to attack</title>
      <description>I’m not about to discuss the pros/cons regarding full disclosure, just to show an amusing example of it:

A 0day vulnerability was discovered in “Rising” – a Chinese AV product (insecure method vulnerability) and a PoC was published at milw0rm.com. Today we found a site trying to exploit the vulnerability, but the funny thing is, it used the PoC as is (changing only the payload URL, and using obfuscation to hide it) leaving the original function name (test) and “GO !” button to trigger it (e.g. the exploit will only run once the user clicks the “GO !” button). Needless to say, the exploit is served as a hidden IFrame so the user won’t even see the button.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1883</link>
      <pubDate>Mon, 03 Mar 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Crimeware server and the international man of mystery</title>
      <description>While conducting research for the latest Malicious Page of the Month we have just released, we tried to track down the origins of the crimeware.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1882</link>
      <pubDate>Thu, 28 Feb 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>NeoSploit V.2.0.15 - and behind the scenes</title>
      <description>As part of our on-going research we had the chance to “meet in person” some parts of the server side operations behind the new version of the NeoSploit toolkit.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1863</link>
      <pubDate>Tue, 19 Feb 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>The impact of just 5 random letters...</title>
      <description>We have been watching in amazement what kind of impact our latest Malicious Page of the Month has had on the industry and media.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1843</link>
      <pubDate>Thu, 17 Jan 2008 00:00:00 GMT</pubDate>
    </item>
    <item>
      <title>And the winner for "top virus" of 2007 is...</title>
      <description>Not a virus. Not even a malware. Neither is the runner up... It's the method of how malware is populated.</description>
      <link>http://www.finjan.com/MCRCblog.aspx?EntryId=1816</link>
      <pubDate>Sun, 06 Jan 2008 00:00:00 GMT</pubDate>
    </item>
  </channel>
</rss>